BeyondTrust Patch Tuesday

May 14, 2013

Microsoft Patch Tuesday

This month, Microsoft released 10 patches that repair a total of 33 vulnerabilities. Of these vulnerabilities, there were 24 remote code execution vulnerabilities, three elevation of privilege vulnerabilities, three information disclosure vulnerabilities, a denial of service vulnerability, a spoofing vulnerability, and an authentication bypass vulnerability.

Microsoft Rating:

CVE List:

Analysis:

This bulletin addresses 11 privately reported vulnerabilities in Internet Explorer: 10 remote code execution vulnerabilities and an information disclosure vulnerability. The patch fixes multiple use-after-free vulnerabilities, as well as an issue that occurs when reading JSON files. An attacker who successfully exploited the remote code execution vulnerabilities would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.

Microsoft Rating:

CVE:

CVE-2013-1347

Analysis:

This bulletin addresses a publicly disclosed remote code execution vulnerability in Internet Explorer. The patch fixes a use-after-free vulnerability that occurs when rendering specially crafted content. An attacker that successfully exploited this vulnerability would gain user level access to the target machine. This vulnerability has been exploited in the wild.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, apply the "CVE-2013-1347 MSHTML Shim Workaround" provided by Microsoft. Alternatively, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.
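The Active Scripting and ActiveX mitigation recommended for both Internet Explorer bulletins above can be audited, and optionally applied, per user with a script like the following. This is an added example, not part of the original advisory; it assumes the standard Internet Explorer URL action values (1200 for running ActiveX controls and plug-ins, 1400 for Active scripting) and zone numbers (1 for Local intranet, 3 for Internet), and the `-Apply` switch is a name chosen here.

```powershell
# Added example: report (and with -Apply, set) the per-user IE zone values
# that correspond to "block ActiveX controls / disable Active Scripting"
# in the Local intranet (zone 1) and Internet (zone 3) zones.
# URL action values: 0 = enable, 1 = prompt, 3 = disable.
param([switch]$Apply)

$base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'
              '1400' = 'Active scripting' }
$want    = 3   # 3 = disable; change to 1 to prompt instead of blocking

$report = foreach ($z in $zones.Keys) {
    $path = Join-Path $base $z
    foreach ($a in $actions.Keys) {
        # A missing value yields $null, which is reported as not mitigated.
        $cur = (Get-ItemProperty -Path $path -Name $a -ErrorAction SilentlyContinue).$a
        if ($Apply -and $cur -ne $want) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            Set-ItemProperty -Path $path -Name $a -Value $want -Type DWord
            $cur = $want
        }
        [pscustomobject]@{
            Zone      = $zones[$z]
            Action    = $actions[$a]
            Value     = $cur
            Mitigated = ($cur -eq $want)
        }
    }
}

# Rows with Mitigated = False still allow the action in that zone.
$report | Sort-Object Zone, Action | Format-Table -AutoSize
```

Zone settings delivered by Group Policy take precedence over these per-user values, so on managed machines the same check belongs against the policy configuration rather than HKCU.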

Microsoft Rating:

CVE:

CVE-2013-1305

Analysis:

This bulletin addresses a privately reported denial of service vulnerability in the HTTP.sys component of Windows Server 2012. The patch fixes an issue that occurs when parsing HTTP headers, which could cause the server to enter into an infinite loop. An attacker that successfully exploited this vulnerability would be able to cause the target server to stop responding.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block TCP ports 80 and 443 at the perimeter firewall and disable the IIS service if it is no longer necessary.

Microsoft Rating:

CVE List:

CVE-2013-1336 and CVE-2013-1337

Analysis:

This bulletin addresses two privately reported vulnerabilities in the .NET framework: a spoofing vulnerability and an authentication bypass vulnerability. The patch fixes how digital signatures are validated for XML files, and fixes how .NET creates policy requirements for authentication. An attacker that successfully exploited the XML signature spoofing vulnerability would be able to modify the contents of an XML file without causing the signature of the XML file to become invalidated.

Recommendation:

Deploy patches as soon as possible; no reasonable mitigation is available.

Microsoft Rating:

CVE:

CVE-2013-1302

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Lync. The patch fixes a use-after-free vulnerability that occurs when accessing an in-memory object that has already been freed. An attacker who successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Microsoft Rating:

CVE:

CVE-2013-1301

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in Visio. The patch fixes the way that Visio handles XML external entities that are resolved in other XML external entity declarations, which can occur when parsing specially crafted XML files. An attacker that successfully exploited this vulnerability would be able to read arbitrary data from files on the affected system.

Recommendation:

Deploy patches as soon as possible; no reasonable mitigation is available.

Microsoft Rating:

CVE:

CVE-2013-0096

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in Windows Essentials. The patch fixes the way that Windows Writer handles certain URL parameters. An attacker that successfully exploited this vulnerability would be able to override Windows Writer proxy settings, as well as files on the system accessible to the current user.

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, install the Microsoft Fix it solution, "Disable the Windows Writer".

Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221)

Microsoft Rating:

CVE List:

CVE-2013-1332, CVE-2013-1333, and CVE-2013-1334

Analysis:

This bulletin addresses three privately reported elevation of privilege vulnerabilities in Windows kernel-mode drivers. The patch fixes a double-fetch vulnerability, a buffer overflow vulnerability, and a window handle vulnerability. A local attacker who successfully exploited the window handle vulnerability would be able to execute code in an elevated context.

Recommendation:
